nftables - bunnyamin/bunnix GitHub Wiki
Net Filter Tables
- Configure /etc/nftables/router.conf
Command | Example | Comment |
---|---|---|
List current parsed and loaded rules. | `nft list ruleset` | |
Send variable to configuration file | `nft -D var1=value -D var2=1.2.3.4 -f /etc/nftables.conf` | |
Test configuration | `nft -cf /etc/nftables.conf` | |
Data structure
- Data types
- It is not possible to nest data types that are to be concatenated?
Example

```nft
define wan_ipv4 = 192.168.0.1
define rng_ipv4 = 192.168.0.1-192.168.0.255

# Sets and maps are objects of a table, so they must be declared inside one;
# a set or map at file scope is a syntax error.
table ip filter {
    set lan_ipv4 {
        type ipv4_addr
        # Or, equivalently, let nft infer the type from the expression the set
        # will be matched against (a set takes exactly one type or typeof line):
        # typeof ip saddr
        flags interval
        # $wan_ipv4 lies inside $rng_ipv4; overlapping intervals are rejected
        # unless auto-merge is set
        auto-merge
        elements = { $wan_ipv4, $rng_ipv4, 192.168.1.101-192.168.1.255 }
    }

    # Defined types cannot be in sets or ranges?
    map package_tcp {
        type ifname . ipv4_addr . inet_service . ipv4_addr . inet_service : verdict
        # Or:
        # typeof iifname . ip saddr . tcp sport . ip daddr . tcp dport : verdict
        elements = {
            enp0s0 . 192.168.0.101 . 80 . 192.168.0.102 . 80 : accept
        }
    }

    chain input {
        # Without a hook line the chain is a regular chain and is never evaluated
        type filter hook input priority 0;
        ip saddr @lan_ipv4 accept
        # A verdict map is consulted with vmap, keyed by the same concatenation as its type
        iifname . ip saddr . tcp sport . ip daddr . tcp dport vmap @package_tcp
    }
}
```
Debug
Show syntax errors on failure to start the nftables service:
- `systemctl status nftables`
- `journalctl -xeu nftables` (the command the systemctl failure message itself points to)
Enable IP forwarding (required for a router, otherwise the kernel never passes packets between interfaces) by setting `net.ipv4.ip_forward = 1` in /etc/sysctl.d/30-ipforward.conf.
Log denied packets with a searchable prefix, then read them back from the kernel log:

```nft
log prefix "[nftables] Inbound Denied: " flags all counter drop
```

```sh
journalctl -k | grep "Inbound Denied: "
```
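Grepping the prefix shows the raw lines; for review it is more useful to aggregate them by source address, protocol and destination port. The script below is an added example for this page (not from the bunnix wiki); it assumes the kernel's standard `KEY=VALUE` log field layout (`SRC=`, `PROTO=`, `DPT=`) and the sample journal lines are constructed, not real captures.

```shell
#!/bin/sh
# Summarise "[nftables] Inbound Denied:" kernel log lines by source address,
# protocol and destination port. Reads `journalctl -k` output on stdin and
# prints "count SRC PROTO DPT", busiest first.
# Added example, not the wiki's own; assumes the kernel's KEY=VALUE log format.

summarize_denied() {
    grep -F 'Inbound Denied: ' | awk '
    {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END {
        for (k in count) print count[k], k
    }' | sort -rn
}

# Constructed sample of journalctl -k output (not real captures).
SAMPLE_LOG='Mar 10 12:00:01 router kernel: [nftables] Inbound Denied: IN=enp0s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:02 router kernel: [nftables] Inbound Denied: IN=enp0s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:03 router kernel: [nftables] Inbound Denied: IN=enp0s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=UDP SPT=40000 DPT=53 LEN=20
Mar 10 12:00:04 router kernel: unrelated kernel message'

# Usage on a live system: journalctl -k | summarize_denied
# Run with --demo to process the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_denied
fi
```

Because the rule also carries `counter`, `nft list ruleset` gives the total number of drops for cross-checking against the per-source totals from the log; a large gap between the two means the kernel rate-limited the log messages.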
Event | Error | Cause | Consequence | Remedy |
---|---|---|---|---|
`nft -D ...` | Error: syntax error, options must be specified before commands | | | Escape hyphens. That is, `nft \-D ...` |
Example
A setup where a default configuration is loaded at startup, before the network is up, and is then extended or replaced by a second configuration once the network is up. If the secondary configuration fails for any reason, the default configuration is always the one applied, so the host is never left without rules.
The default configuration locks down all connections, with exceptions only for what is necessary to set up the local network.
The secondary configuration extends or replaces the default configuration. It requires information about the network's IP addresses, which is why it can only be loaded after the network is up.
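The two-stage load described above can be driven by a small script run from whatever hook fires once the network is up. The script below is an added example for this page, not a script from the bunnix project; the file paths, the `NFT` variable and the `wan_ipv4` define are assumptions, while `nft -cf`, `nft -f` and `nft -D` are the commands from the table at the top of the page.

```shell
#!/bin/sh
# Load the secondary (network-dependent) ruleset once the network is up and
# fall back to the default ruleset if it fails.
# Added example, not the wiki's own script. DEFAULT_CONF, SECONDARY_CONF, NFT
# and the wan_ipv4 define are assumed names.

NFT="${NFT:-nft}"
DEFAULT_CONF="${DEFAULT_CONF:-/etc/nftables/default.conf}"
SECONDARY_CONF="${SECONDARY_CONF:-/etc/nftables/router.conf}"

# apply_with_fallback WAN_IPV4
# Returns 0 when the secondary ruleset is active, 1 when the default had to be
# (re)applied. Host-specific values are passed in with -D so the file itself
# carries no addresses.
apply_with_fallback() {
    wan_ipv4="$1"
    # Check first (-c) so a syntax error is reported without touching the
    # kernel; the load itself is one atomic transaction, so a file that fails
    # half-way changes nothing either.
    if "$NFT" -D wan_ipv4="$wan_ipv4" -cf "$SECONDARY_CONF" \
        && "$NFT" -D wan_ipv4="$wan_ipv4" -f "$SECONDARY_CONF"; then
        return 0
    fi
    echo "secondary ruleset rejected, re-applying default" >&2
    "$NFT" -f "$DEFAULT_CONF"
    return 1
}

# Usage, e.g. from a network dispatcher hook: ./load-router.sh 203.0.113.10
if [ $# -gt 0 ]; then
    apply_with_fallback "$1"
fi
```

Whether the secondary file extends or replaces the default depends only on the file itself: a file that begins with `flush ruleset` replaces everything, one without it adds to what is already loaded. The default file should flush as well, so re-applying it after a failure leaves a known state rather than a mix of old and new rules.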